From a9f3b3bad17d91e2067fc00d51b0302349570d08 Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 1 Jul 2016 01:02:04 +0100 Subject: [PATCH] x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] hvm_get_seg_reg() does not perform a range check on its input segment, calls hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[]. x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG() in {vmx,svm}_get_segment_register(). HVM guests running with shadow paging can end up performing a virtual to linear translation with x86_seg_none. This is used for addresses which are already linear. However, none of this is a legitimate pagetable update, so fail the emulation in such a case. This is XSA-187 / CVE-2016-7094. Reported-by: Andrew Cooper Signed-off-by: Andrew Cooper Reviewed-by: Tim Deegan --- xen/arch/x86/mm/shadow/common.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 04ce322268..7032869aad 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -140,9 +140,18 @@ static int hvm_translate_linear_addr( struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { - struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); + const struct segment_register *reg; int okay; + /* + * Can arrive here with non-user segments. However, no such cirucmstance + * is part of a legitimate pagetable update, so fail the emulation. + */ + if ( !is_x86_user_segment(seg) ) + return X86EMUL_UNHANDLEABLE; + + reg = hvm_get_seg_reg(seg, sh_ctxt); + okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr); -- 2.30.2